jason franklin with sagar chaki, anupam datta, jonathan m. mccune, arvind seshadri, and amit...
Post on 19-Dec-2015
218 views
TRANSCRIPT
![Page 1: Jason Franklin with Sagar Chaki, Anupam Datta, Jonathan M. McCune, Arvind Seshadri, and Amit Vasudevan 1 Parametric Verification of Address Space Separation](https://reader035.vdocument.in/reader035/viewer/2022062421/56649d2d5503460f94a035dd/html5/thumbnails/1.jpg)
1
Jason Franklin with Sagar Chaki, Anupam Datta,
Jonathan M. McCune, Arvind Seshadri, and Amit Vasudevan
Parametric Verification of Address Space Separation
Cylab & SEI @ Carnegie Mellon University
![Page 2: Jason Franklin with Sagar Chaki, Anupam Datta, Jonathan M. McCune, Arvind Seshadri, and Amit Vasudevan 1 Parametric Verification of Address Space Separation](https://reader035.vdocument.in/reader035/viewer/2022062421/56649d2d5503460f94a035dd/html5/thumbnails/2.jpg)
2
Outline•D
efinition & Importance
Security Kernels
•How we model adversaries
Interfaces
•Data structure reduction
Parametricity
•Verification of source code
Refinement
![Page 3: Jason Franklin with Sagar Chaki, Anupam Datta, Jonathan M. McCune, Arvind Seshadri, and Amit Vasudevan 1 Parametric Verification of Address Space Separation](https://reader035.vdocument.in/reader035/viewer/2022062421/56649d2d5503460f94a035dd/html5/thumbnails/3.jpg)
3
Security Kernels
• Security kernels utilize protection mechanisms to prevent actions that violate a security policy– OSes, hypervisors and web browsers
• Uses: cloud computing, online banking, DRM (PS3), malware testing, national security?, etc.
• Critically important to verify absence of security bugs
APP
Security Kernel
Adversary
SecurityPolicy
![Page 4: Jason Franklin with Sagar Chaki, Anupam Datta, Jonathan M. McCune, Arvind Seshadri, and Amit Vasudevan 1 Parametric Verification of Address Space Separation](https://reader035.vdocument.in/reader035/viewer/2022062421/56649d2d5503460f94a035dd/html5/thumbnails/4.jpg)
4
State of the Art in Security Kernel Verification
• Manual/semi-automated verification– Similar goals, costly and time consuming (requires patience)
• SRI HDM, InaJo, Gypsy, UCLA, PSOS, [Heitmeyer et al.], seL4
• Model checking work for security kernels– Study non-parametric verification
• [Guttman et al.], [Lie et al.], [Mitchell et al.]
• Bug finding with adversaries– Unsound or incomplete methods
• [Kidd et al.], [Emmi et al.], [Bugrara and Aiken]
![Page 5: Jason Franklin with Sagar Chaki, Anupam Datta, Jonathan M. McCune, Arvind Seshadri, and Amit Vasudevan 1 Parametric Verification of Address Space Separation](https://reader035.vdocument.in/reader035/viewer/2022062421/56649d2d5503460f94a035dd/html5/thumbnails/5.jpg)
5
State of the Art in High-Assurance Systems
• Security-critical components extracted and moved to hypervisor – Reduces system code size and interface
• < 10k L.O.C. and < 10 system calls
– Promising initial step to reduce complexity of verification• TRANGO Virtual Processor, Open Kernel Labs OKL4, VirtualLogix’s VLX, SecVisor
(CMU), TrustVisor (CMU), and many others
Hardware
OS
App
Hypervisor (TCB)
AppApp
Hardware
App
OS + TCB
AppApp
![Page 6: Jason Franklin with Sagar Chaki, Anupam Datta, Jonathan M. McCune, Arvind Seshadri, and Amit Vasudevan 1 Parametric Verification of Address Space Separation](https://reader035.vdocument.in/reader035/viewer/2022062421/56649d2d5503460f94a035dd/html5/thumbnails/6.jpg)
6
Limitations of State of the Art
Limitations• Manual verification effort for theorem proving is high• Small TCBs alone don’t enable automated formal verification• Major source of complexity for model checking is size of data structures
Our Goal• Overcome limitations by exploiting structure of protection mechanisms
![Page 7: Jason Franklin with Sagar Chaki, Anupam Datta, Jonathan M. McCune, Arvind Seshadri, and Amit Vasudevan 1 Parametric Verification of Address Space Separation](https://reader035.vdocument.in/reader035/viewer/2022062421/56649d2d5503460f94a035dd/html5/thumbnails/7.jpg)
7
Approach
Automatic source-level verification of OS protection mechanisms can be realized by:• Parametrically reasoning about protection data
structures and • Using refinement to carry verification down to source
code level
![Page 8: Jason Franklin with Sagar Chaki, Anupam Datta, Jonathan M. McCune, Arvind Seshadri, and Amit Vasudevan 1 Parametric Verification of Address Space Separation](https://reader035.vdocument.in/reader035/viewer/2022062421/56649d2d5503460f94a035dd/html5/thumbnails/8.jpg)
Verification Process
Verification
Model system & property
Apply Parametricity to reduce data structure size
Source-level Verification
Relate abstract models and C code
Prove refinement &
build refinement
checker
8
![Page 9: Jason Franklin with Sagar Chaki, Anupam Datta, Jonathan M. McCune, Arvind Seshadri, and Amit Vasudevan 1 Parametric Verification of Address Space Separation](https://reader035.vdocument.in/reader035/viewer/2022062421/56649d2d5503460f94a035dd/html5/thumbnails/9.jpg)
9
Scope
• Protection mechanisms of Xen, TrustVisor, SecVisor• Manages protection data structures, performs
permission and bounds checks
Systems
• Address separation, W xor X, access control
Properties
• Adversary constrained to system interface
Adversary model
![Page 10: Jason Franklin with Sagar Chaki, Anupam Datta, Jonathan M. McCune, Arvind Seshadri, and Amit Vasudevan 1 Parametric Verification of Address Space Separation](https://reader035.vdocument.in/reader035/viewer/2022062421/56649d2d5503460f94a035dd/html5/thumbnails/10.jpg)
10
Outline
Security Kernels
•How we model adversaries
Interfaces
Parametricity
Refinement
![Page 11: Jason Franklin with Sagar Chaki, Anupam Datta, Jonathan M. McCune, Arvind Seshadri, and Amit Vasudevan 1 Parametric Verification of Address Space Separation](https://reader035.vdocument.in/reader035/viewer/2022062421/56649d2d5503460f94a035dd/html5/thumbnails/11.jpg)
11
Interface-Constrained Adversary• Adversary model = arbitrary number of calls to system call
interface with non-deterministic inputs– Reduces complexity of adversary models, eases model checking
Kernel
A(*)
C(*)
B(*,*)
Kernel
Adversary
A(w)
C(z)
B(x,y)
Without Interface Abstraction Interface-constrained Adversary
![Page 12: Jason Franklin with Sagar Chaki, Anupam Datta, Jonathan M. McCune, Arvind Seshadri, and Amit Vasudevan 1 Parametric Verification of Address Space Separation](https://reader035.vdocument.in/reader035/viewer/2022062421/56649d2d5503460f94a035dd/html5/thumbnails/12.jpg)
Example
*
*
*
Adversary-Controlled
eXe
Write
Authoritative
Sync ≡
foreach row do if (Secure) then copy
ReadWrite
12
Sys CallInterface
Sync(*)
Delete(*)
Add(*,*)
Key Insights:• Kernel page table is adversary-
controlled data structure• Sync copies adversary-controlled data
into memory • Adversary is constrained to interface
• I = {Sync(*) , Add(*,*) , Delete(*)}
![Page 13: Jason Franklin with Sagar Chaki, Anupam Datta, Jonathan M. McCune, Arvind Seshadri, and Amit Vasudevan 1 Parametric Verification of Address Space Separation](https://reader035.vdocument.in/reader035/viewer/2022062421/56649d2d5503460f94a035dd/html5/thumbnails/13.jpg)
13
Common Examples
Remote Adversary
• Constrained to network interface
Malicious Process
• Constrained to OS system call interface
Malicious Web Gadget
• Constrained to browser interface
Malicious Peripheral
• Constrained to IOMMU interface
Adversary
![Page 14: Jason Franklin with Sagar Chaki, Anupam Datta, Jonathan M. McCune, Arvind Seshadri, and Amit Vasudevan 1 Parametric Verification of Address Space Separation](https://reader035.vdocument.in/reader035/viewer/2022062421/56649d2d5503460f94a035dd/html5/thumbnails/14.jpg)
14
Outline
Security Kernels
Interfaces
•Data structure reduction
Parametricity
Refinement
![Page 15: Jason Franklin with Sagar Chaki, Anupam Datta, Jonathan M. McCune, Arvind Seshadri, and Amit Vasudevan 1 Parametric Verification of Address Space Separation](https://reader035.vdocument.in/reader035/viewer/2022062421/56649d2d5503460f94a035dd/html5/thumbnails/15.jpg)
15
Protection Data Structures
R UM
W
WX KC
KD
Kernel Page Table
UM
X
W KD
KC
Shadow Page Table
SecVisor Sync ≡
foreach row do if (W XOR X) then Sync
R W
UM=User Memory KD=Kernel Data KC=Kernel Code
![Page 16: Jason Franklin with Sagar Chaki, Anupam Datta, Jonathan M. McCune, Arvind Seshadri, and Amit Vasudevan 1 Parametric Verification of Address Space Separation](https://reader035.vdocument.in/reader035/viewer/2022062421/56649d2d5503460f94a035dd/html5/thumbnails/16.jpg)
16
Data Structure Size and Verification Complexity
• Security kernels operate on large data structures– Page tables, memory protection structures, etc.
• Complexity of automated verification increases exponentially with increase in data structure size
Page Table Entries States Space Time
3 55,000 8MB 2 sec
4 1,700,000 <256MB 360 sec
5 -- Out of Memory --
1024 -- -- --
Murphi model checking SecVisor security hypervisor with increasing page table size
Goal: automated verification techniques that scale gracefully
with increase in data structure size
![Page 17: Jason Franklin with Sagar Chaki, Anupam Datta, Jonathan M. McCune, Arvind Seshadri, and Amit Vasudevan 1 Parametric Verification of Address Space Separation](https://reader035.vdocument.in/reader035/viewer/2022062421/56649d2d5503460f94a035dd/html5/thumbnails/17.jpg)
17
Hierarchical NestingRegisters
cr3
PDT
pde0
pde1
pde2PT
pte0
pte1
MemoryPT
pte0
pde3
Multi-level Page Tables Single-level Page Tables
PT
pte0
pte1
pte2
![Page 18: Jason Franklin with Sagar Chaki, Anupam Datta, Jonathan M. McCune, Arvind Seshadri, and Amit Vasudevan 1 Parametric Verification of Address Space Separation](https://reader035.vdocument.in/reader035/viewer/2022062421/56649d2d5503460f94a035dd/html5/thumbnails/18.jpg)
18
Parametricity of System Data Structures
n 1
shadow_paging_sync ≡
foreach row do if (Row_Check) then modify row;
Row independent
Row uniform
![Page 19: Jason Franklin with Sagar Chaki, Anupam Datta, Jonathan M. McCune, Arvind Seshadri, and Amit Vasudevan 1 Parametric Verification of Address Space Separation](https://reader035.vdocument.in/reader035/viewer/2022062421/56649d2d5503460f94a035dd/html5/thumbnails/19.jpg)
19
Apps
Security Kernel
Adversary
Small Model Analysis:Modeling Systems and Properties
• Model kernel and adversaries– Parametric Guarded Command
Language (PGCL)
• Express security properties– Parametric Temporal
Specification Logic (PTSL) Policy
SYS(n) ADV(n)
SK(n)
P(n)
![Page 20: Jason Franklin with Sagar Chaki, Anupam Datta, Jonathan M. McCune, Arvind Seshadri, and Amit Vasudevan 1 Parametric Verification of Address Space Separation](https://reader035.vdocument.in/reader035/viewer/2022062421/56649d2d5503460f94a035dd/html5/thumbnails/20.jpg)
20
Language Design Challenges
• Balancing expressiveness with small model analysis – Conditionals– Whole array ops– Assignment– Parallel and sequential composition– Non-deterministic update
• Distinctive features – Modeling systems and adversaries:
whole array operations– Adversary: Non-deterministic updates
foreach row do
if (Condition) then Set row = x;
Adversary ≡
foreach row do row[0] = *;
![Page 21: Jason Franklin with Sagar Chaki, Anupam Datta, Jonathan M. McCune, Arvind Seshadri, and Amit Vasudevan 1 Parametric Verification of Address Space Separation](https://reader035.vdocument.in/reader035/viewer/2022062421/56649d2d5503460f94a035dd/html5/thumbnails/21.jpg)
21
Parametric Programming Language
• Language for modeling system & adversary– Finite number of Boolean variables– System parameter: n– Single parametric array: P of size n x q– Parametric loop
• for i : P[n,q] do E ? C
Kernel Entry ≡¬ kernelmode ? kernelmode := ;⊤
for i : Pn,q do Pn,q[i][Write] = T ? Pn,q[i][eXe] := ;⊥
![Page 22: Jason Franklin with Sagar Chaki, Anupam Datta, Jonathan M. McCune, Arvind Seshadri, and Amit Vasudevan 1 Parametric Verification of Address Space Separation](https://reader035.vdocument.in/reader035/viewer/2022062421/56649d2d5503460f94a035dd/html5/thumbnails/22.jpg)
22
SecVisor ModelKernel Entry ≡¬ kernelmode ? kernelmode := ;⊤
for i : Pn,q do Pn,q[i][SPTPA] = KC ? Pn,q[i][SPTRW] := ;⊥ Pn,q[i][SPTX] := ;⊤
…
Sync ≡ ⊤ ? for i : Pn,q do
⊤ ? Pn,q[i][SPTPA] := Pn,q[i][KPTPA]
Attacker ≡ ⊤ ? for i : Pn,q do
Pn,q[i][KPTPA] := ;∗ Pn,q[i][KPTRW] := ;∗ Pn,q[i][KPTX] := ∗
R UM
R X
WX KC
KD
Kernel Page Table
R UM
RW
X KC
KD
Shadow Page Table
Sync
![Page 23: Jason Franklin with Sagar Chaki, Anupam Datta, Jonathan M. McCune, Arvind Seshadri, and Amit Vasudevan 1 Parametric Verification of Address Space Separation](https://reader035.vdocument.in/reader035/viewer/2022062421/56649d2d5503460f94a035dd/html5/thumbnails/23.jpg)
Expressive Specification Logic
Reachability properties • State formulas
• Universal, existential, and generic 23
Temporal logic specifications • Path formulas
• Subset of ACTL* with USF as atomic propositions
Propositions• Basic range over Booleans• Parametric range over rows of parameterized array
Execution Integrity:In kernel mode, only kernel code should be executable.It is stated as follows:
Pexec == MODE=KERNEL ( i P[i][eXe] (P[i][CodeType] = KC))⇒ ∀ ⇒
![Page 24: Jason Franklin with Sagar Chaki, Anupam Datta, Jonathan M. McCune, Arvind Seshadri, and Amit Vasudevan 1 Parametric Verification of Address Space Separation](https://reader035.vdocument.in/reader035/viewer/2022062421/56649d2d5503460f94a035dd/html5/thumbnails/24.jpg)
24
Small Model Theorems
• Relate properties of System(1) to System(n), for all finite n– Sound: If small model is secure
then large model is secure– Complete: If small model is
insecure then large model is insecure
SMT
System(n)
System(1)
Verify
Secure!
Secure!
Insecure
Insecure
![Page 25: Jason Franklin with Sagar Chaki, Anupam Datta, Jonathan M. McCune, Arvind Seshadri, and Amit Vasudevan 1 Parametric Verification of Address Space Separation](https://reader035.vdocument.in/reader035/viewer/2022062421/56649d2d5503460f94a035dd/html5/thumbnails/25.jpg)
25
Small Model Safety Theorem• System model
– Let gc(k) be any instantiated guarded command (i.e., any well-formed program)• Security property
– Let in GSF be any generic state formula• Forall i. P(i) , Exists i. P(i), or conjunctions of
• Initial state– Let Init in USF be any universal state formula (For all i. P(i))
• Definition: model exhibits if contains reachable state that satisfies
• Theorem: M(gc(k), Init) exhibits iff M(gc(1), Init) exhibits
• Thms with different initial conditions & properties in [Oakland2010]
![Page 26: Jason Franklin with Sagar Chaki, Anupam Datta, Jonathan M. McCune, Arvind Seshadri, and Amit Vasudevan 1 Parametric Verification of Address Space Separation](https://reader035.vdocument.in/reader035/viewer/2022062421/56649d2d5503460f94a035dd/html5/thumbnails/26.jpg)
26
Small Model Analysis
Execution Integrity:In kernel mode, only kernel code should be executable.
In PTSL: Pexec == MODE=KERNEL⇒( i. P[i][SPTX] (P[i][SPTPA] = KC))∀ ⇒
System
SecVisor(n)
Adversary
W xor X
SYS(n) ADV(n)
RM(n)
Initial condition:SecVisor starts in kernel mode and only kernel code is executable
In PTSL: Init == MODE=KERNEL ^ ( i. P[i][SPTX] (P[i][SPTPA] = KC))∀ ⇒
SMT
SecVisor(1)Verify
mode = kernel AND FOREACH page in SPT, if eXe then page maps kernel code
If mode = kernel thenFOREACH page in SPT, if eXe thenpage maps kernel code
![Page 27: Jason Franklin with Sagar Chaki, Anupam Datta, Jonathan M. McCune, Arvind Seshadri, and Amit Vasudevan 1 Parametric Verification of Address Space Separation](https://reader035.vdocument.in/reader035/viewer/2022062421/56649d2d5503460f94a035dd/html5/thumbnails/27.jpg)
27
Verification Results
• SecVisor (Shadowvisor, sHype, Xen), adversary, and properties expressible– Small Model Theorems apply
• Translate to Murphi, verify – Two vulnerabilities, repaired, verified • Two more in ShadowVisor
Secure Sync ≡ ⊤ ? for i : Pn,q do
(¬ Pn,q[i][SPTX] ∧ ¬ (Pn,q[i][KPTPA] = KC)) ? Pn,q[i][SPTPA] := Pn,q[i][KPTPA]
Sync ≡ ⊤ ? for i : Pn,q do
⊤ ? Pn,q[i][SPTPA] :=Pn,q[i][KPTPA]
![Page 28: Jason Franklin with Sagar Chaki, Anupam Datta, Jonathan M. McCune, Arvind Seshadri, and Amit Vasudevan 1 Parametric Verification of Address Space Separation](https://reader035.vdocument.in/reader035/viewer/2022062421/56649d2d5503460f94a035dd/html5/thumbnails/28.jpg)
28
Extending Parametricity Results
page_fault (u32 addr) {
pdt = get_pdt(addr);
if (pdt is ADDR) { if (pdt < MAX) copy; } else { if (getpde(addr) < MAX) copy; }}
Complexities and Solutions• Multiple, linked, parametric arrays
• Extended PGCL to handle multiple parametric arrays
• Added nested quantifiers to PTSL• New small model theorems
![Page 29: Jason Franklin with Sagar Chaki, Anupam Datta, Jonathan M. McCune, Arvind Seshadri, and Amit Vasudevan 1 Parametric Verification of Address Space Separation](https://reader035.vdocument.in/reader035/viewer/2022062421/56649d2d5503460f94a035dd/html5/thumbnails/29.jpg)
29
Related Work
• Parametric verification for correctness– Missing whole array operators (adversary) or less efficient
• [Lazic et al.] and [Emerson and Kahlon]
– Incomplete methods (environment abstraction)• [Clarke et al.] and [Talupur et al.]
• Parametric verification for security– Focus on security protocols
• [Lowe et al.], [Roscoe and Broadfoot], [Durgin et al.], [Millen]
![Page 30: Jason Franklin with Sagar Chaki, Anupam Datta, Jonathan M. McCune, Arvind Seshadri, and Amit Vasudevan 1 Parametric Verification of Address Space Separation](https://reader035.vdocument.in/reader035/viewer/2022062421/56649d2d5503460f94a035dd/html5/thumbnails/30.jpg)
30
Outline
Security Kernels
Interfaces
Parametricity
•Verification of source code
Refinement
![Page 31: Jason Franklin with Sagar Chaki, Anupam Datta, Jonathan M. McCune, Arvind Seshadri, and Amit Vasudevan 1 Parametric Verification of Address Space Separation](https://reader035.vdocument.in/reader035/viewer/2022062421/56649d2d5503460f94a035dd/html5/thumbnails/31.jpg)
Towards Source Level VerificationC codepage_fault (u32 addr) { pdt = get_pdt(addr); if (pdt.ADDR) { if (pdt < MAX) copy; } else { if (getpde(addr) < MAX) copy; }}
Guarded Command Representationpage_fault ≡ pdt.ADDR && pdt < MAX ? Pn,k[i][ADDR] := Pn,k[i][ADDR];
!pdf.ADDR && pde(pdt) < MAX ? Pn,k[i][ADDR] := Pn,k[i][ADDR];
1. Convert
Language containment
refinement
Convert C code to guarded commands
(GC)
Check language containment to
prove GC is in PGCL
Yes, results apply.
No, modify or results do not apply.
31
2. Check language containment
Refinement Theorem
![Page 32: Jason Franklin with Sagar Chaki, Anupam Datta, Jonathan M. McCune, Arvind Seshadri, and Amit Vasudevan 1 Parametric Verification of Address Space Separation](https://reader035.vdocument.in/reader035/viewer/2022062421/56649d2d5503460f94a035dd/html5/thumbnails/32.jpg)
Verification
Verification
1. Model system & property
Apply Parametricity to reduce data structure size
2. Source-level Verification
Relate abstract models and C code
Prove refinement
& build refinement
checker
Adversary abstraction to
identify security-relevant code
Prove soundness &
build abstractor
32
Complete
In Progress
![Page 33: Jason Franklin with Sagar Chaki, Anupam Datta, Jonathan M. McCune, Arvind Seshadri, and Amit Vasudevan 1 Parametric Verification of Address Space Separation](https://reader035.vdocument.in/reader035/viewer/2022062421/56649d2d5503460f94a035dd/html5/thumbnails/33.jpg)
33
Expressiveness and Limitations
• PGCL/PTSL can model:– Protection mechanisms that are
row independent and row uniform
– Policies that are expressible as FSA over rows (safety properties)
• Developed compilation to convert FSA policy to PGCL reference monitor
![Page 34: Jason Franklin with Sagar Chaki, Anupam Datta, Jonathan M. McCune, Arvind Seshadri, and Amit Vasudevan 1 Parametric Verification of Address Space Separation](https://reader035.vdocument.in/reader035/viewer/2022062421/56649d2d5503460f94a035dd/html5/thumbnails/34.jpg)
34
Assumptions and/or Limitations
• Verification– Applies to row-uniform, hierarchical-row independent
systems (expressible in PGCL)– Properties expressible in large subset of ACTL*/X– Currently at model level and some source-level guarantees– Assumptions about semantics of C, correctness of model
checker, translation tools, and of proofs• Validation
– Security properties might not be right properties or strong enough
– Adversary model may not match reality
![Page 35: Jason Franklin with Sagar Chaki, Anupam Datta, Jonathan M. McCune, Arvind Seshadri, and Amit Vasudevan 1 Parametric Verification of Address Space Separation](https://reader035.vdocument.in/reader035/viewer/2022062421/56649d2d5503460f94a035dd/html5/thumbnails/35.jpg)
35
Related Work• Model checking for security
– Study non-parametric verification of secure systems• [Guttman et al.], [Lie et al.], [Mitchell et al.]
• Bug finding with adversaries– Unsound or incomplete methods
• [Kidd et al.], [Emmi et al.]
• Operating system verification – Manual/semi-automated verification
• [Walker et al.], [Heitmeyer et al.], [Klein et al.]
![Page 36: Jason Franklin with Sagar Chaki, Anupam Datta, Jonathan M. McCune, Arvind Seshadri, and Amit Vasudevan 1 Parametric Verification of Address Space Separation](https://reader035.vdocument.in/reader035/viewer/2022062421/56649d2d5503460f94a035dd/html5/thumbnails/36.jpg)
36
Conclusions
• Towards scalable automated source-level verification of protection mechanisms– Adversary abstraction reduces model complexity– Parametric reasoning reduces data complexity
• Small model theorems relate small/large models• Application to SecVisor, sHype, Shadowvisor, & Xen
– Refinement theorem pushes guarantees to source• Outlined path to source level verification– Building models is time-consuming, costly, and error-prone – In progress, proof of refinement theorem
Questions?More info @
http://www.cs.cmu.edu/~jfrankli